Sendmail Five Second Greeting Delay

David Allen the.real.david.allen at gmail.com
Fri Apr 2 12:33:11 UTC 2010


On 4/1/10, Matthew Seaman wrote:
>
> On 02/04/2010 01:51:27, Norbert Papke wrote:
>> When I connect to sendmail on a local interface, sendmail responds to the
>> connection with its "220" greeting immediately.  If I connect to sendmail
>> from another machine on my (home) LAN, sendmail delays five seconds before
>> sending the greeting.  I would like it to respond immediately.
>
>> A quick search turned up a "greet_delay" feature in sendmail that would
>> cause this type of behavior.  To the best of my knowledge, I do not use this
>> feature.  Just to be sure, I tried to explicitly enable it with both a
>> default 0 second timeout and an explicit 0 second access rule.  This did not
>> resolve the issue.
>
> For the sake of the archives, I'd like to note that the `greet_pause'
> feature is actually a pretty effective and very cheap to implement
> anti-spam measure.  You need:
>
> FEATURE(greet_pause, `5000')dnl ## 5 seconds
>
> in your $(hostname).mc file -- this gives you a default 5 second delay.
>  If you also have
>
> FEATURE(`access_db')
>
> you can override that value for particular IP ranges or domain names.
>
> This is also a handy addition to the .mc file:
>
> LOCAL_RULESETS
> SLocal_greet_pause
> R$*     $: $&{daemon_flags}
> R$* a $*        $# 0
>
> This turns off greet_pause on network ports where authentication is
> required, ie. if you use port 587 for submitting new mail and reserve
> port 25 for MTA to MTA mail transfers.
>
> The way this works is that it requires the sending side to wait until
> your system prints out the greeting banner.  If the sending side starts
> speaking before then, sendmail will refuse to accept any mail during
> that session.  All real MTAs will get this right, as it is part of the
> SMTP specification in the RFCs.  Many spambots on the other hand, send
> e-mail by simply replaying one side of a recorded SMTP conversation
> without regard for what the other side says.  This feature weeds out
> that sort of spambot with very little effort.

Useful reading.  Two questions ...

First, I'm wondering what is logged as a result of using greet_pause when
getting slammed by a bot.  Is it something along the lines of "User did
not issue...", "LA LA LA I wasn't listening", or nothing at all?

Secondly, it seems the cause of the OP's problem was a delay associated
with an IDENT query.  Specifically

  confTO_IDENT     Timeout.ident   [5s] The timeout waiting for a
       response to an IDENT query.

If he had local DNS configured, there would be no query, and therefore no
issue, but setting the timeout to 0 seconds using

  define(`confTO_IDENT', 0s)

does remove the delay, but not the underlying problem.

Put another way, I'm wondering why IDENT queries are made?  My knowledge
of that protocol is superficial, but my understanding is that running an
identity service is widely considered a security problem.  FreeBSD doesn't
run identd by default, for example, but it's possible that some Linux
distros do.  The Wikipedia article suggests "It's an IRC thing", but that
doesn't address the default sendmail behavior.

Thanks.
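The pre-greeting behaviour Matthew describes, modelled as an added example (this is not sendmail code and not part of the original thread): a toy SMTP server applies a greet_pause, and two clients talk to it over a socketpair. A compliant MTA waits for the 220 banner before speaking; a replaying spambot blasts its whole side of the conversation at once, so the server sees bytes before the banner goes out and refuses every command for the rest of the session. The banner, reply texts, hostnames and the log line are constructed for the demo (the log wording is styled after sendmail's "pre-greeting traffic" message, not copied from it), and the pause is shortened from 5 s to 0.5 s so the demo runs quickly.

```python
import select
import socket
import threading

# Constructed texts for the demo; sendmail's real banner and 554 wording differ.
BANNER = b"220 mx.example.test ESMTP\r\n"
REJECT = b"554 rejecting commands due to pre-greeting traffic\r\n"


def greet_pause_server(conn, pause_s, log):
    """Serve one SMTP session with a greet_pause of pause_s seconds.

    Returns the list of reply codes sent in response to client commands."""
    # Hold the banner for pause_s. Anything readable before then was sent
    # without waiting for "220", which RFC 5321 requires a client to do.
    readable, _, _ = select.select([conn], [], [], pause_s)
    pre_greeting = bool(readable)
    if pre_greeting:
        log.append(f"rejecting commands from [peer] due to pre-greeting "
                   f"traffic after {pause_s}s")
    conn.sendall(BANNER)
    codes = []
    rfile = conn.makefile("rb")
    for raw in rfile:
        verb = raw.strip().upper().split(b" ")[0]
        if verb == b"QUIT":
            conn.sendall(b"221 bye\r\n")
            codes.append(221)
            break
        if pre_greeting:
            # Whole-session penalty: the early talker gets nothing accepted.
            conn.sendall(REJECT)
            codes.append(554)
            continue
        if verb in (b"HELO", b"EHLO", b"MAIL", b"RCPT"):
            conn.sendall(b"250 OK\r\n")
            codes.append(250)
        else:
            conn.sendall(b"500 unrecognized command\r\n")
            codes.append(500)
    return codes


def mta_client(conn):
    """A compliant MTA: read the banner first, then one command per reply."""
    rfile = conn.makefile("rb")
    replies = [rfile.readline()]                      # wait for the 220 banner
    for cmd in (b"EHLO relay.example.test", b"MAIL FROM:<a@example.test>", b"QUIT"):
        conn.sendall(cmd + b"\r\n")
        replies.append(rfile.readline())
    return [int(r[:3]) for r in replies]


def spambot_client(conn):
    """A replaying spambot: send a recorded session without waiting for the
    banner or reading any reply, then collect whatever the server said."""
    script = (b"HELO zombie\r\n"
              b"MAIL FROM:<spam@example.test>\r\n"
              b"RCPT TO:<victim@example.test>\r\n"
              b"QUIT\r\n")
    conn.sendall(script)
    rfile = conn.makefile("rb")
    replies = [rfile.readline() for _ in range(5)]    # banner + four replies
    return [int(r[:3]) for r in replies]


def run_session(client_fn, pause_s=0.5):
    """Run server and client over a local socketpair.

    Returns (server_reply_codes, client_seen_codes, server_log)."""
    srv, cli = socket.socketpair()
    log, out = [], []
    t = threading.Thread(target=lambda: out.append(greet_pause_server(srv, pause_s, log)))
    t.start()
    client_codes = client_fn(cli)
    t.join()
    srv.close()
    cli.close()
    return out[0], client_codes, log


if __name__ == "__main__":
    for name, fn in (("MTA", mta_client), ("spambot", spambot_client)):
        server_codes, client_codes, log = run_session(fn)
        print(f"{name}: client saw {client_codes}; server log: {log}")
```

Answering the first question by construction: the only server-side record is the single log line written when the early bytes arrive; the session is not aborted, the bot is simply told 554 for everything except QUIT, which keeps it busy and accepts nothing. A real sendmail with greet_pause behaves the same way in outline, but check your own maillog for the exact text it writes.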


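For the second question, the IDENT (RFC 1413) exchange sendmail performs before it greets, as an added example that is not part of the thread or of sendmail: the server connects back to TCP port 113 on the connecting host and sends "<server-port>, <client-port>", and the reply is either "USERID : <os> : <user>" or "ERROR : <code>". When the peer runs no identd the connect is refused or, if a firewall drops it, waits out the full timeout, which is exactly the delay confTO_IDENT bounds; a timeout of 0 skips the query entirely, mirroring define(`confTO_IDENT', 0s). Sample replies below are constructed; the peer address 192.0.2.1 is a documentation address, not a real host.

```python
import socket

IDENT_PORT = 113


def parse_ident_reply(line):
    """Parse one RFC 1413 reply line into a dict.

    Forms: '<sport> , <cport> : USERID : <opsys> : <user-id>'
           '<sport> , <cport> : ERROR : <error-type>'
    The user-id field may itself contain colons, so split at most 3 times."""
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) < 3:
        raise ValueError(f"malformed ident reply: {line!r}")
    ports, kind = parts[0], parts[1].upper()
    sport, cport = (int(p) for p in ports.split(","))
    if kind == "USERID" and len(parts) == 4:
        return {"status": "USERID", "server_port": sport, "client_port": cport,
                "os": parts[2], "user": parts[3]}
    if kind == "ERROR":
        return {"status": "ERROR", "server_port": sport, "client_port": cport,
                "error": parts[2]}
    raise ValueError(f"malformed ident reply: {line!r}")


def ident_query(peer_ip, server_port, client_port, timeout_s):
    """Ask peer_ip's identd who owns the connection <peer:client_port> -> <us:server_port>.

    Returns the parsed reply, or None when the query is disabled (timeout_s <= 0,
    like confTO_IDENT 0s), refused, unanswered within timeout_s, or malformed.
    Note the answer is whatever the remote host chooses to say: it is not
    authenticated and must never be used for access decisions."""
    if timeout_s <= 0:
        return None
    try:
        with socket.create_connection((peer_ip, IDENT_PORT), timeout=timeout_s) as s:
            s.sendall(f"{server_port}, {client_port}\r\n".encode("ascii"))
            data = b""
            while not data.endswith(b"\n") and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
        return parse_ident_reply(data.decode("ascii", "replace"))
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    # Constructed replies, as an identd might send them.
    print(parse_ident_reply("25 , 54321 : USERID : UNIX : npapke"))
    print(parse_ident_reply("25,54321:ERROR:NO-USER"))
    # With the timeout set to 0 the query is skipped, so no delay at all.
    print(ident_query("192.0.2.1", 25, 54321, 0))
```

Running ident_query against a LAN peer that silently drops port 113 shows the symptom from the original report: the call returns None only after the full timeout has elapsed, and only then would the banner go out.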
More information about the freebsd-questions mailing list